What are the risks associated with importing a third-party Root CA certificate into the Enterprise NTAuth Store in a Windows domain, other than that the CA is then trusted to issue certificates?

This is for test purposes, to fix an issue with wireless clients getting a Windows Security Alert when connecting to a wireless network and being authenticated via a new NPS server running on WS2012 R2.

The Root CA certificate is already present in the computer store of the client machines under Trusted Root Certification Authorities, but the window still appears on the first connection attempt.

The goal is to get rid of the pop-up window. [Screenshot of the Windows Security Alert dialog not included.]

EDIT: I will elaborate a little bit.

The goals:

  • allow domain-joined devices to authenticate via NPS;
  • use a 3rd-party certificate;
  • users should not get Security Warning pop-up window;

NPS on WS2012 R2 is used. PEAP/MSCHAPv2 is used for authentication.

Volodymyr Molodets

2 Answers

5

There are several points in the question.

First, the NTAuth store is used to store *issuing* CA certificates that are eligible to issue logon certificates (when a client certificate is mapped to a user account in Active Directory during authentication). If a CA certificate is present in this store, it will be able to issue certificates that can impersonate any user account. The risk is obvious, and I wouldn't trust any CA that is out of the company's control.

The presented dialog informs you that the issuer of the presented RADIUS certificate is not configured in the *wireless/VPN* profile.

What you have to do is configure the wireless connection as follows. [Screenshot of the wireless profile's security settings, with numbered fields 2 and 3, not included.]

In field 2, you can specify a hard-coded list of trusted RADIUS servers. In field 3, you can specify the trusted root authorities that are allowed to issue certificates to RADIUS servers for this profile.

In other words, if you connect to a RADIUS server specified in field 2 and the RADIUS certificate chains up to any selected root CA in field 3, then you will connect silently (without the warning dialog). If either requirement is not met, then you will receive the warning dialog.

In a domain environment, you can preconfigure wireless profiles by using group policies: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

Crypt32
  • Good idea, I've actually thought about this, but could not put all the things together. This approach looks to be more secure and controlled. I will give it a shot and get back with the results. Thanks! – Volodymyr Molodets Aug 15 '15 at 22:03
  • This was it CryptoGuy, you were right. There was an existing wireless network profile distributed via GPO to the clients, and it had a couple of certs attached to it. After creating a sample GPO with the same certificates and pointing it to the new RADIUS, it was tested successfully. Thanks for your help! – Volodymyr Molodets Aug 18 '15 at 06:13
  • Glad to help you! – Crypt32 Aug 18 '15 at 11:09
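The answer above describes two conditions the client checks before connecting silently: the RADIUS server's certificate must carry a name listed in field 2, and its chain must end at a root selected in field 3. The PowerShell below is an added example (not code from the thread or from Microsoft) that emulates those two checks against an exported NPS server certificate, so an administrator can predict whether a profile will prompt before pushing it by GPO. The hostname, file path and thumbprint are placeholders; it assumes PowerShell 3.0 or later, which exposes the DnsNameList property on certificates.

```powershell
# Added example, not from the original thread: emulate the PEAP server
# validation a Windows 802.1X client performs when "Connect to these servers"
# (field 2) and "Trusted Root Certification Authorities" (field 3) are set.
function Test-RadiusServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Field 2: server names the client will accept (matched case-insensitively).
        [Parameter(Mandatory = $true)]
        [string[]]$AllowedServerNames,

        # Field 3: SHA-1 thumbprints of the roots allowed to anchor the chain.
        [Parameter(Mandatory = $true)]
        [string[]]$TrustedRootThumbprints
    )

    # Check 1: does the certificate carry one of the allowed names?
    # DnsNameList (PowerShell 3.0+) lists DNS SANs, falling back to the subject CN.
    $certNames = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $false
    foreach ($n in $certNames) {
        if ($AllowedServerNames -contains $n) { $nameOk = $true }
    }

    # Check 2: does the chain build, and does it end at a trusted root?
    # Revocation is skipped here because the client-side prompt in the question
    # is about trust configuration, not revocation status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $rootThumb = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    # Normalise thumbprints as pasted from the certificate Details tab (spaces/colons).
    $normalised = $TrustedRootThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }
    $rootOk = $built -and ($normalised -contains $rootThumb)

    [pscustomobject]@{
        Subject              = $Certificate.Subject
        CertificateNames     = ($certNames -join ', ')
        ServerNameMatch      = $nameOk
        ChainBuilt           = $built
        ChainStatus          = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootThumbprint       = $rootThumb
        TrustedRootMatch     = $rootOk
        WouldConnectSilently = ($nameOk -and $rootOk)
    }
}

# Usage (placeholders): export the NPS server certificate without its private
# key to a .cer file, then test it against the values you intend to put in the profile.
$certPath = 'C:\temp\nps01-radius.cer'   # placeholder path
if (Test-Path $certPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
    Test-RadiusServerCertificate -Certificate $cert `
        -AllowedServerNames 'nps01.corp.example.com' `
        -TrustedRootThumbprints 'AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00' |
        Format-List
}
```

Run it on a domain-joined client rather than on the NPS server, because the chain is built from that client's own certificate stores, which is exactly what the wireless client will use. A result with ChainBuilt true but TrustedRootMatch false is the case the question describes: the root is trusted by the machine, but it is not the root the profile pins in field 3.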

-1

The NTAuth store is a central repository for certificates, stored in Active Directory, that are to be trusted by all forest/domain members.

There is some amount of risk associated with every single certificate that you choose to trust. It is usually a very small amount, but it is non-zero.

The reason it's risky is, similar to real life, any time you trust someone, there is a risk that your trust could either be betrayed or prove to have been misplaced. This could happen either maliciously, or on accident.

A Certification Authority could be hacked or otherwise have its private key leaked, and at that point, the hackers have the ability to impersonate the Certification Authority - whom you trust implicitly.

However, as I said, the risk is usually small, and it's a risk that every one of us takes every day.

Ryan Ries
  • Ok, good. Thus adding a third-party Root CA cert to the NTAuth store will not allow it to issue certs, it will just allow clients to trust the certs issued by that CA? – Volodymyr Molodets Aug 14 '15 at 13:54
  • That is correct. – Ryan Ries Aug 14 '15 at 13:57
  • @RyanRies unfortunately, you are incorrect. – Crypt32 Aug 14 '15 at 18:47
  • @CryptoGuy... here is a Microsoft KB article specifically about importing 3rd party certs to the NTAuth store. https://support.microsoft.com/en-us/kb/295663 It's a thing that people can do. I didn't say anything that was incorrect. Whether the certificate is from a root CA or an issuing CA is a minor technicality that doesn't substantively affect what I said. – Ryan Ries Aug 14 '15 at 19:17
  • It has nothing to do with the RADIUS certificate, as "This process is required if you are using a third-party CA to issue smart card logon or domain controller certificates.", while a RADIUS certificate is somewhat like a regular SSL certificate that proves the RADIUS identity. – Crypt32 Aug 14 '15 at 19:20
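Both answers agree that whatever sits in the NTAuth store is trusted forest-wide, and the first answer's point is that such a CA can issue logon certificates for any account. A practical control is therefore to enumerate the store regularly and compare it with an approved list. The PowerShell below is an added example (not from the thread or from Microsoft) that reads the NTAuthCertificates object from the AD Configuration partition with ADSI and flags entries that are not on an approved thumbprint list; the approved thumbprints are placeholders.

```powershell
# Added example, not from the original thread: audit the forest NTAuth store.
# NTAuthCertificates lives in the Configuration naming context; its cACertificate
# attribute is multi-valued, one DER-encoded certificate per CA.
function Get-NTAuthCertificate {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.configurationNamingContext.Value
    $ntAuth  = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNc"

    foreach ($der in @($ntAuth.Properties['cACertificate'])) {
        # Leading comma keeps the byte[] from being unrolled into separate arguments.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (, [byte[]]$der)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

# Compare the live store with the list of CAs the organisation has decided to
# allow. Anything not on the list can issue logon certificates and should be
# explained or removed.
function Compare-NTAuthStore {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ApprovedThumbprints
    )
    $approved = $ApprovedThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }
    foreach ($entry in Get-NTAuthCertificate) {
        $entry | Add-Member -NotePropertyName Approved `
                            -NotePropertyValue ($approved -contains $entry.Thumbprint) -PassThru
    }
}

# Usage (placeholder thumbprints): list every entry, then show only unapproved ones.
$approvedCAs = @(
    'AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00',   # placeholder: internal issuing CA
    '0011223344556677889900AABBCCDDEEFF001122'    # placeholder: internal root CA
)
Compare-NTAuthStore -ApprovedThumbprints $approvedCAs | Format-Table Subject, NotAfter, IsSelfSigned, Approved
Compare-NTAuthStore -ApprovedThumbprints $approvedCAs | Where-Object { -not $_.Approved }
```

The same store can be inspected with `certutil -viewstore -enterprise NTAuth`; the script form is easier to schedule and to diff against a baseline. Note that domain members cache NTAuth locally and refresh it through Group Policy, so a removal in AD takes effect on clients only after that refresh.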